Will It Blend? presented at Ruxcon 2010

by Billy Rios (Google)

Tags: Exploitation Security

URL: http://www.ruxcon.org.au/presentations/#wib

Summary: Today’s information systems are a giant mesh of complexity. Typical consumer systems have large numbers of software packages, created by different software manufacturers, installed on them. This mesh of software creates an ecosystem, where software is intertwined and in some cases dependent on each other. When one piece of the ecosystem gets out of line, it can have a dramatic effect on the ecosystem as a whole. A small vulnerability or even an ‘annoying’ behaviour from one piece of software can alter the behaviour of a second piece of software, a behaviour which a third piece of software is depending on for a security decision.

Enter the world of blended vulnerabilities and attacks.

This talk will discuss the details of various ‘blended’ attacks and demonstrate the chaining of seemingly low-risk vulnerabilities and unusual design decisions from popular software to create a higher-risk exploit.

Billy Rios: Billy Rios is currently a security researcher for Google where he studies emerging security threats and technologies. Before Google, Billy was a Security Program Manager at Microsoft where he helped secure several high-profile software projects including Internet Explorer. Prior to his roles at Google and Microsoft, Billy was a penetration tester, making his living by outsmarting security teams, bypassing security measures, and demonstrating the business risk of security exposures to executives and organisational decision makers. Before his life as a penetration tester, Billy worked as an Information Assurance Analyst for the Defense Information Systems Agency (DISA). While at DISA, Billy helped protect Department of Defense (DoD) information systems by performing network intrusion detection, vulnerability analysis, incident handling, and formal incident reporting on security-related events involving DoD information systems. Before attacking and defending information systems, Billy was an active duty Officer in the United States Marine Corps. Billy has spoken at numerous security conferences including: Blackhat briefings, Bluehat, RSA and DEFCON. Billy holds a Bachelor's degree in Business Administration, a Master of Science degree in Information Systems, and a Master of Business Administration.